Kimsuky threat group controlling infected systems via RDP
2023-10-16 • AhnLab • Kimsuky threat group controls infected systems using RDP
AhnLab describes Kimsuky intrusions that begin with presumed spear phishing to install BabyShark and then bring in RDP-focused tooling for hands-on control of the infected Windows host. The observed activity includes hwp.bat, PowerShell keylogging through k.ps1 and OneNote.vbs, loaders such as pow.ps1 and desktop.r7u, and injector behavior that earlier cases tied to xRAT or related malware. The follow-on payload multiple.exe patches termsrv.dll so that the Remote Desktop service accepts multiple concurrent sessions, creates a hidden administrator account named IIS_USER, and so supports stealthier remote access: the attacker can log in over RDP without disconnecting the console user, whose session ending would otherwise give the intrusion away. A newer component, RevClient, receives commands from the C2, can add or hide accounts, and relays the attacker's traffic to the host's local RDP service through 5.61.59.53:2086, a reverse connection that reaches RDP even on a host with no inbound port exposed.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | c8d589ac5c872b12e502ec1fc2fee0c7 | 2023-10-16 | 2024-10-01 |
| IPv4 | 5.61.59.53 | 2023-10-16 | 2024-08-22 |
| HASH | be2f73a637258aa872bdf548daf55336 | 2023-10-16 | 2023-10-17 |
| HASH | 7313dc4d9d6228e442fc6ef9ba5a1b9a | 2023-10-16 | 2023-10-17 |
| HASH | 02804d632675b2a3711e19ef217a2877 | 2023-10-16 | 2023-10-17 |
| HASH | 116a71365b83cc38211ccfc8059b363e | 2023-10-16 | 2023-10-17 |
| HASH | ad9a3e893abdac7549a7d66ca32142e8 | 2023-10-16 | 2023-10-17 |
| HASH | 0d6717c3fa713c5f5f5cb0539b94b84f | 2023-10-16 | 2023-10-17 |
| HASH | 2dbe8e89310b42e295bfdf3aad955ba9 | 2023-10-16 | 2023-10-17 |
| HASH | 0d691673af913dc0942e55548f6e2e4e | 2023-10-16 | 2023-10-17 |
| URL | https://onessearth.online/up/up… | 2023-10-16 | 2023-10-17 |
| URL | https://powsecme.co/up/upload_d… | 2023-10-16 | 2023-10-17 |
| DOMAIN | onessearth.online | 2023-10-16 | 2023-10-17 |
| DOMAIN | powsecme.co | 2023-10-16 | 2023-10-17 |
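The host-side checks those behaviors imply, as an added PowerShell triage script that is not part of the AhnLab report and is not Kimsuky tooling. It assumes that the hidden IIS_USER account is hidden through the Winlogon SpecialAccounts\UserList registry key (the summary above does not say how the account is hidden), and it reuses the hashes, IP address and domains from the indicator table as a constructed lookup list. The shipped termsrv.dll is catalog-signed, so a patched copy fails signature verification, which is the strongest single host indicator here. Run it elevated on the host under review.

```powershell
# Added triage script, not AhnLab's code. Assumptions: hidden accounts are hidden
# via SpecialAccounts\UserList (not stated in the report summary); the IOC values
# below are copied from the indicator table. Run in an elevated PowerShell.

$IocMd5 = @(
    'c8d589ac5c872b12e502ec1fc2fee0c7', 'be2f73a637258aa872bdf548daf55336',
    '7313dc4d9d6228e442fc6ef9ba5a1b9a', '02804d632675b2a3711e19ef217a2877',
    '116a71365b83cc38211ccfc8059b363e', 'ad9a3e893abdac7549a7d66ca32142e8',
    '0d6717c3fa713c5f5f5cb0539b94b84f', '2dbe8e89310b42e295bfdf3aad955ba9',
    '0d691673af913dc0942e55548f6e2e4e'
)
$IocC2      = '5.61.59.53'
$IocDomains = 'onessearth.online', 'powsecme.co'

$Findings = New-Object System.Collections.Generic.List[string]

# 1. termsrv.dll integrity: the original is catalog-signed, a patched copy is not.
$termsrv = Join-Path $env:SystemRoot 'System32\termsrv.dll'
$sig = Get-AuthenticodeSignature -FilePath $termsrv
if ($sig.Status -ne 'Valid') {
    $Findings.Add("termsrv.dll signature status is '$($sig.Status)' (expected Valid)")
}

# 2. Terminal Server settings that multi-session RDP abuse relies on.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $Findings.Add('RDP connections are allowed (fDenyTSConnections=0)')
}
if ($ts.fSingleSessionPerUser -eq 0) {
    $Findings.Add('Multiple RDP sessions per user are enabled (fSingleSessionPerUser=0)')
}

# 3. Accounts hidden from the logon UI (assumed mechanism: UserList value = 0)
#    and an IIS_USER account holding local administrator rights.
$ulPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $ulPath) {
    $ul = Get-Item $ulPath
    foreach ($name in $ul.GetValueNames()) {
        if ($ul.GetValue($name) -eq 0) { $Findings.Add("Account hidden from logon UI: $name") }
    }
}
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    if ($m.Name -like '*\IIS_USER') { $Findings.Add("IIS_USER is a local administrator: $($m.Name)") }
}

# 4. Network: live connections to the relay, and IOC domains in the DNS cache.
Get-NetTCPConnection -RemoteAddress $IocC2 -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings.Add("Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)")
}
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($d in $IocDomains) {
    if ($dns | Where-Object Entry -like "*$d*") { $Findings.Add("DNS cache entry for $d") }
}

# 5. MD5 of every running process image against the IOC hash list.
$paths = Get-Process -ErrorAction SilentlyContinue |
    Where-Object Path | Select-Object -ExpandProperty Path -Unique
foreach ($p in $paths) {
    $h = (Get-FileHash -Path $p -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    if ($h -and ($IocMd5 -contains $h.ToLower())) { $Findings.Add("IOC hash match: $p ($h)") }
}

if ($Findings.Count -eq 0) { 'No indicators found' } else { $Findings }
```

The hash check only covers images of processes that are running at the time, so pair it with a filesystem sweep of user-writable directories when triaging an actual case. Catalog signature verification through Get-AuthenticodeSignature needs Windows 8 or later; on older hosts a NotSigned result for termsrv.dll is expected, and the file should instead be compared against the copy under WinSxS or a known-good system.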